Articles in this section

Integrate GitHub Container Registry

This topic contains the following sections.

Container Registry Support

GitHub Container Registry integrations support:

  • Registry notification - scans occur for each image push
  • On-demand scans via the API

Integration Setup Overview

Integration setup consists of the following steps:

  1. Create a container registry integration in the Lacework Console
  2. (With notifications) Add a webhook in GitHub for registry notification
    or
    (Without notifications) Set up image assessment through the Lacework API

Create a GitHub Container Registry Integration in Lacework

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Navigate to Settings > Integrations > Container Registries.
  3. Click + Create New.
  4. From the Registry Type drop-down, select the appropriate registry and click Next.
  5. Complete the required settings.
  6. (Optional) Subscribe to registry notifications by selecting Subscribe to Registry Notifications.
  7. Click Next.
  8. Complete any optional settings and click Save. The integration status displays Integration Successful only after its first assessment completes.
  9. If you subscribed to notifications, go to Registry Notification. Otherwise, go to Set Up Image Assessment Through the API to set up on-demand scans.

Settings

Setting Name Description
Registry Type Specify the registry type from the drop-down, in this case, select GitHub Container Registry.
Name Specify a unique name for the container registry in the Lacework Console.
Username Specify a user that has permissions to pull the images (that will be assessed) from the container registry.
Password Specify the GitHub token. To generate a new token, go to your organization and navigate to Settings > Developer settings > Personal access tokens > Generate new token. The required permission is read:packages.
SSL Select the checkbox if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If this is unselected, you are using an unencrypted communication channel.
Registry Domain Displays a drop-down with the field ghcr.io for the GitHub Container Registry.
Limit Number of Images per Repo Select the maximum number of newest container images to discover/assess per repository.
Scan only these repositories If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period.
Scan only these image tags If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND.
Scan only images with these labels If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: key:value. If you specify tag and label limits, they function as an AND.

Registry Notification

Lacework can receive notifications that the registry sends in response to events that happen within the registry. When Lacework receives manifest push notifications, Lacework performs an assessment.

When the integration subscribes to notifications, you must add a webhook to include the additional information provided by Lacework.

When you create/edit the integration, the following additional information is available:

  • URL
  • Authorization Token - an integration-specific, long running server token.

The URL and token are available on the Container Registry page. Click the integration name and copy both items from the details pane. The information is required in the next section.

Each integration can have one token. If the integration unsubscribes from notifications and then subscribes again, Lacework uses the same token.

Add a Webhook to GitHub

If you subscribed to notifications, you must add a webhook to your organization and then add the notification listener URL and authorization token.

  1. In GitHub, navigate to the organization where you want to add a webhook.
    NOTE: You must use an organization webhook. Repository webhooks cannot be used.
  2. Select Webhooks.
  3. Click Add webhook.
  4. For Payload URL, paste the integration's URL from the Lacework Console, such as:
    https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/webhook/ghcr
  5. For Content type, select application/json.
  6. For Secret, paste the integration's authorization token.
  7. For Which events would you like to trigger this webhook?, choose Let me select individual events.
    Then select registry_package from the list of events.
  8. Select Active.
  9. Click Add webhook.

Set Up Image Assessment Through the API

If you did not subscribe to notifications, you can, for example, make an API call each time an image is built so that Lacework assesses it.

For information about setting up container image assessment, see the Vulnerability API section in the Lacework API documentation.